
Solaris 9, TLS, LDAP



I noticed that the thread on this dried up a few months ago. Has anyone managed to use "tls:simple" authentication on a Solaris 9 machine talking to OpenLDAP (2.0.27) using the native nss libraries? Everything worked with "simple" authentication.
With "tls:simple" my experiments show:


1) Surprisingly (?) communication appears to be over port 636 rather than 389
2) id <non-existent uid> returns "invalid user name" immediately.
3) id <valid uid> returns with uid and gid but only after 120 seconds! The ldap logs show that the proxy bind is successful and the uid lookup is correct, but then they also show several "deferring operation" messages every 30 secs during the 2 minutes. ssldump shows connection is being broken and re-established.


$ ./ssldump -i eri0

New TCP connection #1: wesson.central.susx.ac.uk(33945) <-> ldaptest.central.susx.ac.uk(636)
1 1 0.0146 (0.0146) C>S SSLv2 compatible client hello
Version 3.1
cipher suites
TLS_RSA_WITH_RC4_128_MD5
Unknown value 0xfeff
TLS_RSA_WITH_3DES_EDE_CBC_SHA
Unknown value 0xfefe
TLS_RSA_WITH_DES_CBC_SHA
TLS_RSA_EXPORT1024_WITH_RC4_56_SHA
TLS_RSA_EXPORT1024_WITH_DES_CBC_SHA
TLS_RSA_EXPORT_WITH_RC4_40_MD5
TLS_RSA_EXPORT_WITH_RC2_CBC_40_MD5
1 2 0.0157 (0.0010) S>C Handshake
ServerHello
Version 3.1
session_id[32]=
e5 a8 5c 5b 3c 57 a0 8c c7 e0 c3 82 ed 63 88 6a
7e e2 0e 33 7f fb 08 a3 b7 a5 4f 5d 09 6d 57 dc
cipherSuite TLS_RSA_WITH_RC4_128_MD5
compressionMethod NULL
1 3 0.0157 (0.0000) S>C Handshake
Certificate
1 4 0.0157 (0.0000) S>C Handshake
ServerHelloDone
1 5 0.0428 (0.0270) C>S Handshake
ClientKeyExchange
1 6 0.0428 (0.0000) C>S ChangeCipherSpec
1 7 0.0428 (0.0000) C>S Handshake
1 8 0.0728 (0.0300) S>C ChangeCipherSpec
1 9 0.0728 (0.0000) S>C Handshake
1 10 0.0742 (0.0013) C>S application_data
1 11 0.0762 (0.0020) S>C application_data
1 12 0.0778 (0.0016) C>S application_data
1 13 0.0812 (0.0033) S>C application_data
1 14 0.0817 (0.0005) S>C application_data
1 15 0.0833 (0.0016) C>S application_data
1 16 0.0837 (0.0003) C>S Alert
1 0.0837 (0.0000) C>S TCP FIN
New TCP connection #2: wesson.central.susx.ac.uk(33946) <-> ldaptest.central.susx.ac.uk(636)
1 17 0.0870 (0.0032) S>C Alert
1 0.0871 (0.0001) S>C TCP FIN
2 1 0.0043 (0.0043) C>S Handshake
ClientHello
Version 3.1
resume [32]=
e5 a8 5c 5b 3c 57 a0 8c c7 e0 c3 82 ed 63 88 6a
7e e2 0e 33 7f fb 08 a3 b7 a5 4f 5d 09 6d 57 dc
cipher suites
TLS_RSA_WITH_RC4_128_MD5
Unknown value 0xfeff
TLS_RSA_WITH_3DES_EDE_CBC_SHA
Unknown value 0xfefe
TLS_RSA_WITH_DES_CBC_SHA
TLS_RSA_EXPORT1024_WITH_RC4_56_SHA
TLS_RSA_EXPORT1024_WITH_DES_CBC_SHA
TLS_RSA_EXPORT_WITH_RC4_40_MD5
TLS_RSA_EXPORT_WITH_RC2_CBC_40_MD5
compression methods
NULL
2 2 0.0067 (0.0023) S>C Handshake
ServerHello
Version 3.1
session_id[32]=
e5 a8 5c 5b 3c 57 a0 8c c7 e0 c3 82 ed 63 88 6a
7e e2 0e 33 7f fb 08 a3 b7 a5 4f 5d 09 6d 57 dc
cipherSuite TLS_RSA_WITH_RC4_128_MD5
compressionMethod NULL
2 3 0.0067 (0.0000) S>C ChangeCipherSpec
2 4 0.0067 (0.0000) S>C Handshake
2 5 0.0096 (0.0029) C>S ChangeCipherSpec
2 6 0.0096 (0.0000) C>S Handshake
2 7 0.0096 (0.0000) C>S application_data
New TCP connection #3: firle.central.susx.ac.uk(693) <-> home.central.susx.ac.uk(2049)
2 8 30.0106 (30.0010) C>S application_data
2 9 30.0110 (0.0003) C>S Alert
2 30.0110 (0.0000) C>S TCP FIN
New TCP connection #4: wesson.central.susx.ac.uk(33947) <-> ldaptest.central.susx.ac.uk(636)
2 10 30.0155 (0.0045) S>C Alert
2 30.0156 (0.0001) S>C TCP FIN


etc, etc.

4) su - <valid uid> returns after 60 secs (with "deferring operation" after 30 secs) with

su: No default project!

Any ideas anyone?
--
Dave
--
Dave Lewney
Principal Systems Programmer, Computing Service
University of Sussex, Brighton BN1 9QJ. Tel: 01273 678354 Fax: 01273 271956
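The ssldump trace above is worth reducing to a per-connection summary rather than reading record by record, because the two facts that matter (that connection #2 resumes #1's session, and that the client side sends the first Alert after a 30 s silence) are spread over interleaved lines. The script below is an added example, not code from the original post or from ssldump, OpenLDAP or Solaris. It parses the ssldump text format as printed above (connection headers, record lines, the session_id bytes in ServerHello, the resume bytes in ClientHello, the cipher suite names), keys each record on its leading connection number because ssldump prints records in arrival order, and reports per connection who closed it, the longest idle gap and between which records it fell, whether the session was resumed, and which offered suites are export, RC4 or single-DES grade. The embedded TRACE is a trimmed copy of connections #1 and #2 from the post; the WEAK substring list and the "longest gap" heuristic are my own choices, not anything ssldump computes.

```python
# Summarise an ssldump trace per TLS connection: closer, longest idle gap, resumption, weak suites.
import re
from typing import Dict

# Constructed input: connections #1 and #2 of the trace in the post above, trimmed to
# the records this needs; the NFS connection #3 header shows non-TLS traffic is ignored.
TRACE = """\
New TCP connection #1: wesson.central.susx.ac.uk(33945) <-> ldaptest.central.susx.ac.uk(636)
1 1  0.0146 (0.0146)  C>S SSLv2 compatible client hello
  TLS_RSA_WITH_RC4_128_MD5
  TLS_RSA_WITH_3DES_EDE_CBC_SHA
  TLS_RSA_WITH_DES_CBC_SHA
  TLS_RSA_EXPORT1024_WITH_RC4_56_SHA
  TLS_RSA_EXPORT_WITH_RC4_40_MD5
1 2  0.0157 (0.0010)  S>C  Handshake
      ServerHello
        session_id[32]=
          e5 a8 5c 5b 3c 57 a0 8c c7 e0 c3 82 ed 63 88 6a
          7e e2 0e 33 7f fb 08 a3 b7 a5 4f 5d 09 6d 57 dc
        cipherSuite         TLS_RSA_WITH_RC4_128_MD5
1 16 0.0837 (0.0003)  C>S  Alert
1    0.0837 (0.0000)  C>S  TCP FIN
New TCP connection #2: wesson.central.susx.ac.uk(33946) <-> ldaptest.central.susx.ac.uk(636)
1 17 0.0870 (0.0032)  S>C  Alert
1    0.0871 (0.0001)  S>C  TCP FIN
2 1  0.0043 (0.0043)  C>S  Handshake
      ClientHello
        resume [32]=
          e5 a8 5c 5b 3c 57 a0 8c c7 e0 c3 82 ed 63 88 6a
          7e e2 0e 33 7f fb 08 a3 b7 a5 4f 5d 09 6d 57 dc
2 2  0.0067 (0.0023)  S>C  Handshake
      ServerHello
        session_id[32]=
          e5 a8 5c 5b 3c 57 a0 8c c7 e0 c3 82 ed 63 88 6a
          7e e2 0e 33 7f fb 08 a3 b7 a5 4f 5d 09 6d 57 dc
        cipherSuite         TLS_RSA_WITH_RC4_128_MD5
2 7  0.0096 (0.0000)  C>S  application_data
New TCP connection #3: firle.central.susx.ac.uk(693) <-> home.central.susx.ac.uk(2049)
2 8  30.0106 (30.0010)  C>S  application_data
2 9  30.0110 (0.0003)  C>S  Alert
2    30.0110 (0.0000)  C>S  TCP FIN
2 10 30.0155 (0.0045)  S>C  Alert
2    30.0156 (0.0001)  S>C  TCP FIN
"""

NEW_CONN = re.compile(r"^New TCP connection #(\d+): (\S+)\((\d+)\) <-> (\S+)\((\d+)\)")
RECORD = re.compile(r"^(\d+)\s+(?:\d+\s+)?([\d.]+) \(([\d.]+)\)\s+([CS]>[CS])\s+(.+)$")
HEX = re.compile(r"^[0-9a-f]{2}( [0-9a-f]{2})*$")
WEAK = ("EXPORT", "RC4", "_DES_")  # my substring heuristic, not an ssldump notion

def parse(trace: str) -> Dict[int, dict]:
    conns: Dict[int, dict] = {}
    cur, hex_into = None, None   # connection owning the current record; field collecting hex bytes
    for raw in trace.splitlines():
        line = raw.strip()
        if m := NEW_CONN.match(line):
            conns[int(m.group(1))] = {"client": m.group(2), "server": m.group(4), "port": int(m.group(5)),
                                      "records": [], "offered": [], "negotiated": None,
                                      "session_id": None, "resume_id": None}
        elif m := RECORD.match(line):
            # Key on the leading connection number: ssldump prints in arrival order,
            # so #1's closing Alert/FIN appear after the "New TCP connection #2" header.
            cur = conns[int(m.group(1))]
            cur["records"].append((float(m.group(2)), m.group(4), m.group(5).strip()))
            hex_into = None
        elif hex_into and HEX.match(line):
            cur[hex_into] = (cur[hex_into] or "") + line.replace(" ", "")
        elif cur is not None:
            hex_into = None
            if line.startswith("session_id["):
                hex_into = "session_id"
            elif line.startswith("resume ["):
                hex_into = "resume_id"
            elif line.startswith("cipherSuite"):
                cur["negotiated"] = line.split()[-1]
            elif line.startswith("TLS_"):
                cur["offered"].append(line)
    return conns

def summarise(conns: Dict[int, dict]) -> Dict[int, dict]:
    issued: Dict[str, int] = {}   # session_id -> connection that first issued it
    out: Dict[int, dict] = {}
    for num, c in sorted(conns.items()):
        r = c["records"]
        if not r:                 # header only, no TLS records: not our protocol
            continue
        # Resumed only if the server echoed the offered id; a fresh id means a full handshake.
        resumed = issued.get(c["resume_id"]) if c["resume_id"] and c["resume_id"] == c["session_id"] else None
        if c["session_id"]:
            issued.setdefault(c["session_id"], num)
        gap, before, after = max(((b[0] - a[0], a[2], b[2]) for a, b in zip(r, r[1:])), default=(0.0, "", ""))
        closer = next((d for _, d, k in r if k in ("Alert", "TCP FIN")), None)
        out[num] = {"negotiated": c["negotiated"], "resumed_from": resumed,
                    "closed_by": {"C>S": "client", "S>C": "server"}.get(closer),
                    "longest_gap_s": round(gap, 4), "gap_between": (before, after),
                    "weak_offered": [s for s in c["offered"] if any(w in s for w in WEAK)]}
    return out

if __name__ == "__main__":
    for num, s in summarise(parse(TRACE)).items():
        print(f"#{num}", s)
```

parse() accepts any ssldump text, so the same two functions can be pointed at a full capture. On the trimmed trace the summary says what the post describes: connection #2 resumes the session #1 issued, the client (the Solaris side) sends the first Alert and FIN on both connections, and the 30 s gap on #2 sits between two client application_data records with no server reply in between, which lines up with the "deferring operation" interval in the slapd logs. Two things the summary also surfaces: the negotiated suite is RC4-MD5 and the first ClientHello offers export and single-DES suites alongside it, and the two "Unknown value" entries in the posted trace, 0xfeff and 0xfefe, are the code points NSS registers as SSL_RSA_FIPS_WITH_3DES_EDE_CBC_SHA and SSL_RSA_FIPS_WITH_DES_CBC_SHA.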